Sherman's Security Blog
I am Sherman Hand (also known as Policysup). I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down-to-earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations, reposts, or information that is already in the public domain.

Tumblr has added a very important security feature to its service, with the addition of two-factor authentication – an option available within the blogging service’s “Settings” section as of now. The move sees Tumblr at last joining the ranks of other top tech companies, including Facebook, Google, LinkedIn and Twitter, the majority of which offer some sort of two-factor authentication in order to provide an extra layer of security and protection for user accounts, making them less vulnerable to unauthorized access by hackers.

Two-factor authentication, for those who don’t understand what that means, is a blanket term describing a method involving two stages (factors) for verifying a user’s identity. Simply put, it means you need two things in order to prove you are who you say you are – not just a username and password. One typical scenario would involve a user providing something they know, like a password, combined with something they have, like a cell phone tied to a verified phone number.

In Tumblr’s case, the cell phone scenario is exactly the method they’re using. On the Account Settings page, users can first set up two-factor authentication by doing the following:

Click “Enable” next to the new Two-Factor setting

Enter your cell phone number and Tumblr password

Decide if you want to get the code via text message or an authenticator app (like Google Authenticator). Or both.

Follow the steps on the Settings page to complete the process, which includes configuring two-factor for your Tumblr mobile apps.

After setup is complete, you’ll then need to provide the authentication code at the time of login in an additional field below the username and password box on the web (see screenshot above). On mobile, you’ll also need to generate a special one-time password in order to log in through your mobile apps on iOS or Android, Tumblr notes.

Unfortunately, in initial tests, we had some difficulties getting Tumblr to accept the provided code, and attempts at having the code re-sent failed, implying there could still be some kinks to work out here. [Update: after waiting a bit and trying a third time, the system worked flawlessly.]

Tumblr users with two-factor authentication switched on will immediately be less vulnerable to attacks and hacking attempts. While nothing will absolutely protect you from someone determined to gain unauthorized access to your account on Tumblr or anywhere else, two-factor authentication makes it much harder, as the would-be hacker would need both your username and password, and physical access to your phone to proceed.

Tumblr until recently was one of the few companies cited on TwoFactorAuth.org, a website that lists which services support two-factor (abbreviated 2FA), and which methods they offer – like SMS, Google Auth, Authy, or another custom method. Most of the big-name tech companies – at least in the social space – either support 2FA or have it in development, like Reddit, noted as being “in progress.” Tumblr, however, was the only social service listed that was noted as lacking 2FA altogether.